Office of the Comptroller of the Currency, Treasury (OCC); Office of Thrift Supervision, Treasury (OTS); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); National Credit Union Administration (NCUA); Federal Trade Commission (FTC); Commodity Futures Trading Commission (CFTC); and Securities and Exchange Commission (SEC).
Advance notice of proposed rulemaking.
The OCC, OTS, Board, FDIC, NCUA, FTC, CFTC, and SEC (the Agencies) are requesting comment on whether the Agencies should consider amending the regulations that implement sections 502 and 503 of the Gramm-Leach-Bliley Act (GLB Act) to allow or require financial institutions to provide alternative types of privacy notices, such as a short privacy notice, that would be easier for consumers to understand.
Comments must be submitted on or before March 29, 2004.
Because the Agencies will jointly review all of the comments submitted, interested parties may send comments to any of the Agencies and need not send comments (or copies) to all of the Agencies. Commenters that submit trade secrets or confidential commercial or financial information may request confidential treatment of that information in accordance with the Freedom of Information Act (5 U.S.C. 552) and the Agencies' respective regulations regarding availability of information. Because paper mail in the Washington area and at the Agencies is subject to delay, please consider submitting your comments by e-mail. Commenters are encouraged to use the title “Alternative Forms of Privacy Notices” to facilitate the organization and distribution of comments among the Agencies. Interested parties are invited to submit written comments to:
Office of the Comptroller of the Currency: Public Information Room, Office of the Comptroller of the Currency, 250 E Street, SW., Mail stop 1-5, Washington, DC 20219, Attention: Docket No. 03-27, Fax number (202) 874-4448 or Internet address: email@example.com. Comments may be inspected and photocopied at the OCC's Public Information Room, 250 E Street, SW., Washington, DC. You can make an appointment to inspect the comments by calling (202) 874-5043.
Office of Thrift Supervision: Send comments to Regulation Comments, Chief Counsel's Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, Attention: No. 2003-62. Delivery: Hand deliver comments to the Guard's Desk, East Lobby Entrance, 1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention: Regulation Comments, Chief Counsel's Office, Attention: No. 2003-62. Facsimiles: Send facsimile transmissions to FAX Number (202) 906-6518, Attention: No. 2003-62. E-Mail: Send e-mails to firstname.lastname@example.org, Attention: No. 2003-62 and include your name and telephone number. Due to temporary disruptions in mail service in the Washington, DC area, commenters are encouraged to send comments by fax or e-mail, if possible. Availability of comments: OTS will post comments and the related index on the OTS Internet Site at www.ots.treas.gov. In addition, you may inspect comments at the Public Reading Room, 1700 G Street, NW., by appointment. To make an appointment for access, call (202) 906-5922, send an e-mail to email@example.com, or send a facsimile transmission to (202) 906-7755. (Please identify the materials you would like to inspect to assist us in serving you.) We schedule appointments on business days between 10 a.m. and 4 p.m. In most cases, appointments will be available the business day after the date we receive a request.
Board of Governors of the Federal Reserve System: Comments should refer to Docket No. R-1173 and may be mailed to Ms. Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551. Please consider submitting your comments by e-mail to firstname.lastname@example.org, or faxing them to the Office of the Secretary at (202) 452-3819 or (202) 452-3102. Members of the public may inspect comments in Room MP-500 between 9 a.m. and 5 p.m. on weekdays pursuant to section 261.12, except as provided in section 261.14, of the Board's Rules Regarding Availability of Information, 12 CFR 261.12 and 261.14.
Federal Deposit Insurance Corporation: Send written comments to Robert E. Feldman, Executive Secretary, Attention: Comments/Executive Secretary Section, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429. Comments also may be mailed electronically to email@example.com. Comments may be hand delivered to the guard station at the rear of the 17th Street building (located on F Street) on business days between 7 a.m. and 5 p.m.; Fax Number (202) 898-3838. Comments may be inspected and photocopied in the FDIC Public Information Center, Room 100, 801 17th Street, NW., Washington, DC 20429, between 9 a.m. and 5 p.m. on business days.
National Credit Union Administration: Comments should be directed to Becky Baker, Secretary of the Board. Mail or hand deliver comments to: National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428. You are encouraged to fax comments to (703) 518-6319 or email comments to firstname.lastname@example.org. Whatever method you choose, please send comments by one method only.
Federal Trade Commission: Comments should refer to “Alternative Forms of Privacy Notices, Project No. P034815.” Comments filed in paper form should be mailed or delivered to: Federal Trade Commission/Office of the Secretary, Room 159-H, 600 Pennsylvania Avenue, NW., Washington, DC 20580. Comments filed in electronic form (in ASCII format, WordPerfect, or Microsoft Word) should be sent to: GLBnotices@ftc.gov. If the comment contains any material for which confidential treatment is requested, it must be filed in paper (rather than electronic) form, and the first page of the document must be clearly labeled “Confidential.” Regardless of the form in which they are filed, the Commission will consider all timely comments, and will make the comments available (with confidential material redacted) for public inspection and copying at the Commission's principal office and on the Commission Web site at www.ftc.gov. As a matter of discretion, the Commission makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC Web site.
Commodity Futures Trading Commission: Comments should be directed to Jean A. Webb, Secretary, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street, NW., Washington, DC 20581. Comments may be sent by facsimile transmission to (202) 418-5528 or by e-mail to email@example.com.
Securities and Exchange Commission: To help us process and review your comments more efficiently, comments should be sent by hard copy or e-mail, but not by both methods. Comments sent by hard copy should be submitted in triplicate to Jonathan G. Katz, Secretary, Securities and Exchange Commission, 450 5th Street, NW., Washington, DC 20549-0609. Comments may also be submitted electronically at the following e-mail address: firstname.lastname@example.org. All comment letters should refer to File No. S7-30-03. This file number should be included on the subject line if e-mail is used. Comment letters will be available for public inspection and copying in the Commission's Public Reference Room, 450 5th Street, NW., Washington, DC 20549. All comments received will be posted on the Commission's Internet Web site (http://www.sec.gov) and made available for public inspection and copying in the Commission's Public Reference Room, 450 Fifth Street, NW., Washington, DC 20549.
FOR FURTHER INFORMATION CONTACT:
OCC: Amy Friend, Assistant Chief Counsel, (202) 874-5200; Stephen Van Meter, Assistant Director, Community and Consumer Law Division, (202) 874-5750; or Heidi Thomas, Special Counsel, Legislative and Regulatory Activities Division, (202) 874-5090.
OTS: Elizabeth C. Baltierra, Program Analyst (Compliance) Compliance Policy, (202) 906-6540; or Paul Robin, Special Counsel, Regulations and Legislation Division, (202) 906-6648.
Board: Thomas E. Scanlon, Counsel, Legal Division, (202) 452-3594; Minh-Duc T. Le or Ky Tran-Trong, Senior Attorneys, Division of Consumer and Community Affairs, (202) 452-3667.
FDIC: April A. Breslaw, Chief, Compliance Section, (202) 898-6609; David P. Lafleur, Policy Analyst, Division of Supervision and Consumer Protection, (202) 898-6569; Ruth R. Amberg, Senior Counsel, (202) 898-3736, or Robert A. Patrick, Counsel, Legal Division, (202) 898-3757.
NCUA: Regina Metz, Staff Attorney, (703) 518-6561, or Ross Kendall, Staff Attorney, Office of General Counsel, (703) 518-6562.
FTC: Toby Milgrom Levin, Senior Attorney, (202) 326-3713, or Loretta Garrison, Senior Attorney, (202) 326-3043.
CFTC: Laura Richards, Senior Assistant General Counsel, (202) 418-5126, or David B. Jacobsohn, Counsel, (202) 418-5161, Office of the General Counsel.
SEC: Brian Baysinger, Special Counsel, Office of Chief Counsel, Division of Market Regulation, (202) 942-0073; or Penelope Saltzman, Senior Counsel, Division of Investment Management, (202) 942-0690.
Subtitle A of title V of the GLB Act, captioned Disclosure of Nonpublic Personal Information (codified at 15 U.S.C. 6801 et seq.), requires each financial institution to provide a notice of its privacy policies and practices to its consumer customers. In general, the privacy notices must describe a financial institution's policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties and provide a consumer a reasonable opportunity to direct the institution not to share nonpublic personal information about the consumer with nonaffiliated third parties. The privacy notice must also provide, where applicable under the Fair Credit Reporting Act (FCRA), a notice and an opportunity for a consumer to opt out of the sharing of certain information among affiliates.
The Agencies have published consistent final regulations that implement the privacy provisions of the GLB Act (collectively referred to as “the privacy rule”). The privacy rule requires a financial institution to include in its privacy notices specific items of information, such as the categories of nonpublic personal information that the institution collects and the categories of third parties to which the institution may disclose the information. The rule contains sample clauses that institutions may use in privacy notices. The rule does not, however, prescribe any specific format or standardized wording for these notices. Instead, institutions may design their own notices based on their individual practices provided they are consistent with the law and meet the “clear and conspicuous” standard in the rule.
Financial institutions first were required to distribute privacy notices to their customers by July 1, 2001. Many privacy notices in this initial effort were long and complex. Moreover, because the privacy rule allows institutions flexibility in designing their privacy notices, notices have been difficult to compare, even among financial institutions with identical privacy policies.
In response to broad-based concerns expressed by representatives of financial institutions, consumers, privacy advocates, and Members of Congress, the Agencies conducted a workshop in December 2001 to provide a forum to consider how financial institutions could provide more useful privacy notices to consumers. The workshop featured panel presentations by financial institutions, consumer advocates, and communications experts, and highlighted key communication principles to improve the notices. A number of institutions, particularly those with complex information-sharing practices, described the challenges they faced in explaining their practices and the choices available to consumers in a simple fashion while meeting all of the legal requirements for notice. Some institutions described results of consumer testing and efforts to make their privacy notices clearer and more useful to consumers.
A number of financial institutions have since sought to improve their notices. Additionally, some industry groups have been working to formulate short, consumer-friendly notices that could accompany the longer, legally mandated notices under the rule. The Agencies applaud the efforts by consumer advocates and industry to improve privacy notices to make them more readable and useful to consumers.
To encourage and facilitate the efforts already underway, the Agencies are considering proposing amendments to the privacy rule to provide for privacy notices that are more understandable and useful to consumers. The Agencies believe that this effort could benefit significantly from the breadth and depth of experience that many institutions have gained over the past two years in designing privacy notices, as well as the expertise of communications experts and the input of consumer organizations and comments from the public. Accordingly, the Agencies seek comment on a wide range of issues associated with the format, elements, and language used in privacy notices that would make the notices more accessible, readable, and useful. The Agencies also solicit examples of forms, model clauses, and other information, such as applicable research that has been conducted in this area, that may provide concrete illustrations or evidence to assist the Agencies in considering whether and how to develop various proposals.
Some of the terms and examples used in this Advance Notice of Proposed Rulemaking (ANPR) and sample notices are not suitable for credit unions, which have an organizational and operational structure that is different than other financial institutions. For example, the term customer, in the context of credit unions, generally will mean member, and while credit unions may form subsidiaries, they do not establish corporate affiliations like other financial institutions. Nevertheless, because of the predominance of issues that are common to all types of financial institutions, the NCUA believes its participation is important at this ANPR stage, whether or not it ultimately determines to publish a separate, but consistent and comparable, rule for credit unions.
Based on the information collected for this ANPR, including information collected through independent research conducted by the Agencies, the Agencies will determine whether to propose changes to the privacy rule and, if so, will seek further public comment on specific proposals. The Agencies expect that consumer testing would be a key component in the development of any specific proposals.
II. General Considerations for Improving Privacy Notices
The Agencies are considering developing a range of alternative proposals for public comment to improve the privacy notices that financial institutions must provide to consumers under the GLB Act. The primary matter the Agencies are now considering is whether to develop a model privacy notice that would be short and simple. In order to illustrate, generally, this type of short notice and to spur specific suggestions for additional ideas that the Agencies should consider, a few of the potential alternative approaches are summarized below. These alternatives are also intended to help frame a number of important questions beyond the design of a short notice, such as whether all financial institutions should be required to use the same form of notice and whether a short notice could be a substitute for or should be a supplement to a longer, more detailed notice. The sample notices included in the appendices do not reflect a determination by the Agencies that any of these notices would be satisfactory under the privacy rule or for any particular financial institution. The Agencies note that these alternatives have not been developed as a result of specific research or consumer testing and are not being proposed for adoption. The Agencies specifically invite suggestions for other approaches to improve the readability and usefulness of privacy notices as set out in section III.
As an initial matter, the Agencies request comment on whether to pursue the development of a short privacy notice. The Agencies note that, should they do so, there are several ways the Agencies could exercise their authority for developing a short notice, and the Agencies have not settled on any single approach. The Agencies could, for example, explore whether an interagency interpretation of the privacy rule, perhaps with model forms or language, would promote the development of privacy notices that are more understandable and useful to consumers. Similarly, the Agencies could develop a set of guidelines or best practices that would enable financial institutions to improve their privacy notices, or the Agencies could propose amendments to the privacy rule. The Agencies request comment on what approaches would be most useful to consumers while taking into consideration the burden on financial institutions.
In a similar approach, the Agencies could develop a short notice with a specific format and standardized language that would be designed to address all of the relevant elements listed in the GLB Act and the privacy rule. Such a notice would permit consumers to compare all relevant elements listed under federal law of the privacy policies of different institutions. However, since information sharing practices may vary, a financial institution may need flexibility in describing the categories of affiliated and nonaffiliated parties to whom it discloses nonpublic personal information. An example illustrating this kind of format and language appears in Appendix B and the categories of parties that may be modified by a financial institution appear in brackets.
Another approach to simplifying privacy notices would involve establishing a standardized format for privacy notices, but allowing financial institutions to provide their own descriptions of their privacy policies and practices. This potential approach may simplify privacy notices and make them more accessible for consumers, yet would permit each financial institution to tailor the language in the notice to suit its own privacy policies and practices. An example of a standardized format is included in Appendix C. Alternatively, the Agencies could prescribe standardized language that a financial institution would use to design its own notice without a format specified by the privacy rule. Standardized language may facilitate comparisons among financial institutions' policies and describe key consumer rights so that consumers could become familiar with circumstances under which information about them may be disclosed to third parties.
Detailed descriptions of ways to improve privacy notices, such as examples of language that may be used, illustrations of formats, and references to the particular requirements of the privacy rule that may need to be amended, will assist the Agencies in learning about and evaluating particular proposals. This ANPR outlines several potential approaches. The Agencies invite comment on the advantages and disadvantages of these approaches. Also, the Agencies request comment on any other approach the Agencies should consider.
III. Request for Comments
Any change in the privacy rule to provide for short notices raises a number of issues. In addition to comment on the various approaches discussed above or illustrated in the appendices, the Agencies request comment and supporting research and documentation on other matters that may be raised by the implementation of a short privacy notice. In particular, the Agencies invite comment on the following questions and supporting documentation where available:
A. Goals of a Privacy Notice
1. What should be the goals of a privacy notice? What goals are most important?
2. Should the Agencies pursue the development of a short notice to achieve these goals?
3. Are there any special issues for the Agencies to consider in developing a short privacy notice that may arise from potential differences between federal and state law requirements?
4. In what ways should a privacy notice be useful to a consumer? Please identify those ways that are the most or least important.
a. To permit ready comparison among different institutions' privacy policies?
b. To provide sufficient information to make an informed decision about whether to opt out?
c. To highlight the consumer's right to opt out?
d. To provide convenient mechanisms for the consumer to opt out?
e. To provide a mechanism for the consumer to opt out in the same medium used to provide the privacy notice?
f. Other ways?
B. Elements of a Privacy Notice
2. Are these key elements the same from the perspective of institutions and consumers? If not, explain the differences and why.
3. Is there an optimal number of elements (beyond which would be too many) to include in a short notice?
5. Should certain elements, such as a description of a consumer's opt-out rights (if applicable), be given prominence or be presented in a certain order?
6. Should statements describing information sharing practices not subject to a consumer's right to opt-out, such as whether a financial institution discloses information to nonaffiliated financial institutions under joint marketing agreements for financial products or services, be highlighted in the short notice?
C. Language of a Privacy Notice
1. Are there particular “privacy” terms or words that consumers readily understand that should be included in a short notice? Should any terms or language currently used in notices be avoided?
2. Should a financial institution be required to use standardized clauses in a short notice?
3. Rather than using standardized language, should a financial institution be permitted to develop its own language in a short notice so long as the short notice incorporates specified items of information?
D. Format of a Privacy Notice
1. Should the Agencies develop a standardized graphic design for a short notice that financial institutions would use? If so, what graphic design would be most suitable for the format of a short notice?
2. Based on experiences with the current privacy notices or tests that have been conducted in this area, what alternative forms of notice are likely to be useful to consumers and/or to financial institutions?
3. Is there a suggested length for a short privacy notice? Is there a suggested length for phrases or sentences within a short notice?
4. Are there suggestions for overall design of the notice, including layout, use of color, graphic devices, font(s), and size(s) of the text in the notice?
5. If a financial institution does not disclose information to third parties that would be subject to a consumer's right to opt out (under either the FCRA or the GLB Act), what form should the privacy notice take?
6. Should an institution be allowed to modify its short privacy notice to include elements that may be required under state laws? If so, then how can a short notice be designed to include those elements?
E. Mandatory or Permissible Aspects of a Privacy Notice
1. Should use of a short notice be mandatory for all financial institutions?
2. Should use of standardized language and/or format for a short notice be mandatory for all financial institutions? Or should each institution be permitted to create its own short notice following agency guidelines?
3. If a short notice is standardized, should only part(s) of the notice be mandatory, and, if so, what part(s)? Or should all of a standardized short notice be mandatory?
4. If use of standardized part(s), such as standardized clauses, is not required, should the Agencies create a safe harbor from administrative enforcement for financial institutions that use the standardized parts in their notices (or a whole, standardized notice)?
5. Should an institution be required or permitted to deliver both a short notice and a long notice?
6. Financial institutions that generally do not share information with third parties—such as those that do not have any affiliates and do not share information in a manner that is subject to a consumer's right to opt out under the FCRA or the GLB Act and do not engage in joint marketing agreements—currently may have abbreviated and simple notices. If a short notice is mandated, should the Agencies make an exception to allow these institutions to continue to use the simple, abbreviated notices they currently use? Alternatively, should the Agencies prescribe a special short notice for these institutions to use?
7. Some financial institutions offer consumers choices to opt out of information-sharing arrangements that are not mandated by either the FCRA or the GLB Act, such as the ability to opt out of an institution's own marketing or joint marketing arrangements with nonaffiliated financial institutions for financial products or services. If a short notice is mandated, should the Agencies allow these institutions to include in the short notice information about these additional choices to opt out?
8. Should the Agencies allow financial institutions to include other information that relates to their privacy policies and practices in their short notices? For instance, should a financial institution that shares information with affiliates for marketing purposes only if a customer opts in to the sharing be permitted to include this information in a short notice?
F. Costs and Benefits of a Short Notice
With respect to consumers or financial institutions, or both:
1. What are the costs and benefits of providing a short notice and how do they compare with the requirements under the current privacy rule?
2. How, if at all, do the costs and benefits of a short notice depend on:
a. Whether the notice is mandatory or permissible?
b. Whether the format of the notice is standardized? On whether the language is standardized?
c. Whether the use of a short notice requires financial institutions to make supplemental privacy information available upon request?
G. Additional Information
1. Are there any models or samples of notices that work particularly well with consumers that the Agencies should consider? Provide any samples and research or supporting documentation.
2. Provide the results and supporting research or documentation of any consumer testing that has been conducted in this area.
3. What processes or types of consumer testing should the Agencies use to evaluate standardized terms or language, formats for notices, and short notices?
4. If the Agencies adopt an alternative form of notice, should consumer education accompany introduction of the new type of notice? If so, what type of consumer education would be effective?
In the event that the Agencies decide to proceed, the Agencies expect to do so through proposed rulemaking. In addition to evaluating the comments submitted in response to this ANPR, the Agencies contemplate that consumer testing would be an important element of the development of any alternative type of privacy notice.
By Order of the Board of Directors.
Dated at Washington, DC, this 2nd day of December, 2003. Federal Deposit Insurance Corporation.
Robert E. Feldman,
By the National Credit Union Administration Board on December 18, 2003.
Secretary of the Board.
Dated: December 22, 2003.
By the Securities and Exchange Commission.
Margaret H. McFarland,
Dated: December 8, 2003.
By the Office of Thrift Supervision,
James E. Gilleran,
Dated: December 18, 2003.
Jean A. Webb,
Secretary of the Commodity Futures Trading Commission.
Dated: November 14, 2003.
John D. Hawke, Jr.,
Comptroller of the Currency.
Dated: December 17, 2003.
By Direction of the Commission.
Donald S. Clark,
By order of the Board of Governors of the Federal Reserve System, December 22, 2003.
Jennifer J. Johnson,
Secretary of the Board.
1. Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must also be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission's General Counsel, consistent with applicable law and the public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).
2. The FDIC and SEC do not edit personal, identifying information such as names or e-mail addresses from electronic submissions. Submit only information you wish to make publicly available.
5. As stated above, the Agencies will jointly review all of the comments submitted, including those comments submitted to only one agency. Commenters may request confidential treatment of any trade secrets and commercial or financial information that is privileged or confidential information provided to the Agencies in accordance with the Freedom of Information Act (5 U.S.C. 552) and the Agencies' respective regulations regarding availability of information. 12 CFR part 4, subparts B and C (OCC); 12 CFR part 505 (OTS); 12 CFR part 261, subparts A and B (Board); 12 CFR part 309 (FDIC); 12 CFR 792.29 (NCUA); 16 CFR 4.10 (FTC); 17 CFR 145.9 (Petition for Confidential Treatment) (CFTC); 17 CFR part 200, subpart D (SEC).
BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P; 6720-01-P; 7535-01-P; 6750-01-P; 6351-01-P; 8010-01-P
[FR Doc. 03-31992 Filed 12-29-03; 8:45 am]
BILLING CODE 4810-33-C; 6210-01-C; 6714-01-C; 6720-01-C; 7535-01-C; 6750-01-C; 6351-01-C; 8010-01-C